Watering hole attacks: Hackers lying in wait

A new type of online threat emerged this summer and, unfortunately, web security is once again at the heart of the matter.

Instead of launching brute-force attacks or spear phishing campaigns, the perpetrators targeted specific organizations and infected sites their users visited often. Clean up is ongoing and the security firms investigating these “watering hole attacks” say it’s only going to get worse.

Security firm RSA coined the term “watering hole attacks” after discovering the attackers ambush their victims much like a big cat lies in wait to ambush its prey at a watering hole.

The forensic evidence indicates a spurt of attacks took place from June 25 to July 17, 2012. It’s believed more than 32,000 end users from 731 organizations were infected, as well as more than 3,900 consumers connecting via their ISPs.

Threat profile of watering hole attacks

Here’s a basic description of how an attack unfolds:

  1. The attackers identify a target.
  2. They find out what websites a large number of its end users are likely to visit.
  3. They figure out which of these websites are vulnerable. The exploits used in the most recent span of attacks included two Adobe Flash Player and two Internet Explorer vulnerabilities.
  4. They hack into these websites and inject a JavaScript element that redirects the visitor to a separate web page that looks just like the site they’re visiting.
  5. If the user’s browser is susceptible to the exploit (i.e. they’re running Windows with a particular version of Internet Explorer), the hackers’ server executes code that exploits the end user’s Java client and then installs a version of the remote access Trojan “GhOst RAT.”

Targets and victims of watering hole attacks

Among the attackers’ targets were the defense industry (including supply chain manufacturers), non-governmental organizations (NGOs), state and federal governments, educational institutions, financial services firms, software companies and utilities.

Most of the victims were located in Washington, D.C., and Boston but there were also some in New York City and northern New Jersey. Investigators found evidence of attacks in other parts of the world, too.

The “watering hole” sites included local banks, municipal governments and non-profits.

Because GhOst RAT is hard to detect, experts recommend you seek outside help if you suspect your systems were compromised. RSA is reportedly contacting the list of 731 organizations affected.

In a recent report detailing the results of its own research into watering hole attacks, Symantec warns that companies and individuals, especially defense supply chain manufacturers, their associates and business partners, must prepare themselves for a new round of attacks in 2013. The security firm expects the hackers to use the knowledge they gained in previous attacks to launch new ones.

The most immediate course of action for IT admins is to make sure all browsers are up-to-date. For more information about secure web browsing, read 5 keys for better browser security – whichever browser is used.”

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy